Lowering the priority of IPv6

One day I needed to lower the priority of IPv6 on one of the servers at Hetzner.de, because the IPv6 network there was unstable: some hosts were periodically unreachable over IPv6, delays appeared, and so on.

To lower the priority, open the /etc/gai.conf file in a text editor (for example nano, where Ctrl+X exits and y/n saves or discards changes):

nano /etc/gai.conf

Find the line there:

#precedence ::ffff:0:0/96  100

And uncomment it or add:

precedence ::ffff:0:0/96  100

Done.
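To show what that one precedence line actually changes, here is an added example (not from the original post) that models the RFC 6724 precedence rule glibc applies when sorting getaddrinfo() results. It parses gai.conf-style text, does a longest-prefix match against the precedence table, and sorts candidate addresses. It is a simplified model: it assumes, as glibc documents, that any precedence line replaces the whole default table, and that unmatched addresses get precedence 40; the default table values are the ones shipped in the comments of gai.conf.

```python
import ipaddress

# Default precedence table that glibc uses when no "precedence" line is active.
# Values taken from the comments shipped in /etc/gai.conf (RFC 6724 section 2.1).
DEFAULT_PRECEDENCE = """
precedence ::1/128        50
precedence ::/0           40
precedence 2002::/16      30
precedence ::/96          20
precedence ::ffff:0:0/96  10
"""

def parse_gai_conf(text):
    """Return [(IPv6Network, precedence)] from gai.conf-style text.

    Comment lines (#...) and directives other than "precedence" are ignored,
    so the commented-out line in the stock file contributes nothing."""
    table = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3 and parts[0] == "precedence":
            table.append((ipaddress.IPv6Network(parts[1]), int(parts[2])))
    return table

def precedence(addr, table, default=40):
    """Longest-prefix match of addr against the table (RFC 6724 rule 6).

    IPv4 addresses are compared as IPv4-mapped IPv6 (::ffff:a.b.c.d), which is
    why the ::ffff:0:0/96 entry controls IPv4 vs IPv6 ordering."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        a = ipaddress.IPv6Address("::ffff:" + str(a))
    best = None
    for net, value in table:
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return default if best is None else best[1]

def sort_candidates(addrs, table):
    """Order candidate addresses the way the resolver would try them:
    highest precedence first (stable, so equal entries keep their order)."""
    return sorted(addrs, key=lambda x: -precedence(x, table))

if __name__ == "__main__":
    # Constructed candidates for one hostname: one IPv6, one IPv4.
    candidates = ["2001:db8::1", "192.0.2.1"]
    print(sort_candidates(candidates, parse_gai_conf(DEFAULT_PRECEDENCE)))
    print(sort_candidates(candidates, parse_gai_conf("precedence ::ffff:0:0/96  100\n")))
```

With the default table the IPv6 address (precedence 40) is tried first; with the single uncommented line the IPv4-mapped range gets 100 and IPv4 wins, which is exactly the effect the post relies on. Note that this only lowers IPv6 priority for programs that go through getaddrinfo(); it does not disable IPv6.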

Connecting SFP-RJ45 Modules to the Cisco 6500

A couple of days ago I needed to connect a few RJ45 links to a Cisco Catalyst 6509-E that had only modules with SFP ports.

Since there were only a few RJ45 links, it was more economical to use SFP-RJ45 modules, so they were ordered.
I inserted them into the ports of the WS-X6724-SFP module, but nothing appeared in the logs.

Enter the following commands so that Cisco does not disable the ports when unsupported modules are inserted:

service unsupported-transceiver
no errdisable detect cause sfp-config-mismatch
no errdisable detect cause gbic-invalid

Note that in my case the ports of the WS-X6724-SFP module work only at 1Gb, so the link will naturally not come up at 100Mb or 10Mb, even though the Foxgate SFP-RJ45 modules we had support 10/100/1000.

I confirmed this with the commands:

configure t
interface gigabitEthernet 1/1
speed ?

which showed that the port speed can be set only to 1000.

See also:
Configure Cisco Catalyst 6509-E

How to create a MySQL user and configure access rights

To create a user, first connect to the MySQL server console:

mysql

Let’s see which users exist:

select * from mysql.user;
select user,host from mysql.user;

Create a user (localhost specifies where the user may connect from: you can specify an IP address, localhost for the local machine on which the MySQL server itself runs, or % for any address):

CREATE USER 'user'@'localhost' IDENTIFIED BY 'password';

If you intend to connect not only locally, you need to comment out the following line in my.cnf:

#bind-address = 127.0.0.1

And restart the MySQL server:

sudo service mysql restart

After that, I recommend restricting access to MySQL using IPTables.
See also – Configuring IPTables

To give the newly created user full permissions on a specific database, execute:

GRANT ALL PRIVILEGES ON database_name.* TO 'user'@'localhost';

Or, if necessary, on all databases:

GRANT ALL PRIVILEGES ON *.* TO 'user'@'localhost';

You can also grant only specific rights:

GRANT SELECT ON database_name.* TO 'user'@'localhost';
GRANT SELECT, INSERT ON database_name.table_name TO 'user'@'192.168.1.5';

If you want to create a new database:

CREATE DATABASE database_name;

For the changes to take effect, execute:

FLUSH PRIVILEGES;

You can delete the user as follows:

DROP USER 'user'@'localhost';

Examples of viewing privileges:

SHOW GRANTS FOR 'user'@'localhost';
SHOW GRANTS;
SELECT * FROM information_schema.user_privileges;
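The SHOW GRANTS output above is the place to catch accounts that got more than they need. The following is an added example (not part of the original post) that parses GRANT statements of the form SHOW GRANTS prints and flags the three things worth reviewing: a host of % (reachable from anywhere, which is what commenting out bind-address exposes), ALL PRIVILEGES on *.*, and WITH GRANT OPTION. The sample grant lines are constructed for the example, not output from a real server.

```python
import re

# Constructed sample, shaped like SHOW GRANTS output for four accounts.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'app'@'localhost'",
    "GRANT SELECT, INSERT ON `shop`.* TO 'app'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION",
    "GRANT SELECT ON `shop`.`orders` TO 'report'@'192.168.1.5'",
]

# One GRANT statement: privilege list, object, quoted 'user'@'host', optional GRANT OPTION.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<grantopt>\s+WITH GRANT OPTION)?\s*$",
    re.IGNORECASE,
)

def parse_grant(line):
    """Return a dict for one GRANT line, or None if it is not a GRANT statement."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "privs": [p.strip().upper() for p in m.group("privs").split(",")],
        "obj": m.group("obj"),
        "grant_option": m.group("grantopt") is not None,
    }

def audit_grants(lines):
    """Return [(account, reason)] for grants a reviewer should look at."""
    findings = []
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        account = f"{g['user']}@{g['host']}"
        if "%" in g["host"]:
            findings.append((account, "host contains '%': reachable from any matching address"))
        if "ALL PRIVILEGES" in g["privs"] and g["obj"] == "*.*":
            findings.append((account, "ALL PRIVILEGES on *.*: full server access"))
        if g["grant_option"]:
            findings.append((account, "WITH GRANT OPTION: can hand privileges to others"))
    return findings

if __name__ == "__main__":
    for account, reason in audit_grants(SAMPLE_GRANTS):
        print(f"{account}: {reason}")
```

Only the admin account trips the checks; the app and report accounts, scoped to one database and to a specific host, come back clean. Feed it the real output of SHOW GRANTS FOR each account to review a server.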

Installing system-config-samba

system-config-samba is a simple application for configuring Samba through a graphical interface.

Install it with the command:

sudo apt-get install system-config-samba

Run it with:

sudo system-config-samba

It allows you to add shared folders and Samba users, assign permissions to folders, and so on; all changes are saved to the Samba configuration files.

See also:
Installing and Configuring Samba on Linux

How to delete an invalid phone and email from Privat24

Somehow many invalid phone numbers and email addresses had accumulated in Privat24, and I wanted to delete them; the “Actual” checkbox had, of course, already been unticked.

After communicating with technical support, I was informed that you can delete the email yourself by sending an SMS with the text OFF + mail@example.com to number 10060, where mail@example.com is the address of the current mail (when abroad, SMS should be sent to +380920003700).

The technical-support operator filed a request to remove the phone numbers on their side, and after a while they disappeared from the account settings.

Configuring Bind9 logs

By default, Bind9 logs are written to the system log /var/log/syslog; to separate them, I will perform the steps described below.

For the test, I will configure Bind9 on Ubuntu Server 16.04.
Open the main Bind9 configuration file, for example in the nano editor (Ctrl+X to exit, y/n to save or discard changes):

sudo nano /etc/bind/named.conf

Add to its end:

logging {
    channel bind.log {
        file "/var/lib/bind/bind.log" versions 10 size 20m;
        severity notice;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category queries { bind.log; };
    category default { bind.log; };
    category config { bind.log; };
};

severity specifies the logging level; it can be: critical, error, warning, notice, info, debug, dynamic.

A second example, which saves the logs to different files:

logging {
          channel "misc" {
                    file "/var/log/named/misc.log" versions 4 size 4m;
                    print-time YES;
                    print-severity YES;
                    print-category YES;
          };

          channel "query" {
                    file "/var/log/named/query.log" versions 4 size 4m;
                    print-time YES;
                    print-severity NO;
                    print-category NO;
          };

          category default {
                    "misc";
          };

          category queries {
                    "query";
          };
};

Another example:

logging {
          channel "misc" {
                    file "/var/log/named/misc.log" versions 10 size 10m;
                    print-time YES;
                    print-severity YES;
                    print-category YES;
          };

          channel "query" {
                    file "/var/log/named/query.log" versions 10 size 10m;
                    print-time YES;
                    print-severity NO;
                    print-category NO;
          };

          channel "lame" {
                    file "/var/log/named/lamers.log" versions 1 size 5m;
                    print-time yes;
                    print-severity yes;
                    severity info;
          };

          category "default" { "misc"; };
          category "queries" { "query"; };
          category "lame-servers" { "lame"; };

};

Restart Bind9 to apply the changes:

sudo /etc/init.d/bind9 restart

You can create a symbolic link in /var/log/ so that others can find the logs more easily:

sudo ln -s /var/lib/bind/ /var/log/

To watch the log in real time, you can use the command (Ctrl+C to stop):

sudo tail -f /var/lib/bind/bind.log
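Once queries land in their own file, the separate query log becomes a useful detection source. Here is an added example (not from the original post) that parses lines in the format the queries channel writes with print-time, print-category and print-severity enabled, counts queries per client, and flags clients that send ANY queries or exceed a rate threshold, which is what you would look for when checking whether the server is being used for amplification. The log lines are constructed for the example; the regex tolerates the optional "@0x..." client pointer that newer BIND versions print.

```python
import re
from collections import Counter

# Constructed sample of a queries-channel log (not captured from a real server).
SAMPLE_LOG = """\
23-Nov-2016 10:15:32.123 queries: info: client 192.168.1.5#51234 (example.com): query: example.com IN A +E (192.168.1.1)
23-Nov-2016 10:15:33.001 queries: info: client 192.168.1.5#51235 (mail.example.com): query: mail.example.com IN MX +E (192.168.1.1)
23-Nov-2016 10:15:34.500 queries: info: client 203.0.113.9#4444 (isc.org): query: isc.org IN ANY +E (192.168.1.1)
23-Nov-2016 10:15:34.510 queries: info: client 203.0.113.9#4444 (isc.org): query: isc.org IN ANY +E (192.168.1.1)
23-Nov-2016 10:15:34.520 queries: info: client 203.0.113.9#4444 (isc.org): query: isc.org IN ANY +E (192.168.1.1)
23-Nov-2016 10:15:34.530 queries: info: client 203.0.113.9#4444 (isc.org): query: isc.org IN ANY +E (192.168.1.1)
23-Nov-2016 10:15:40.000 general: notice: running
"""

# "client [@0x...] IP#PORT (qname): query: NAME CLASS TYPE FLAGS"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query_log(lines):
    """Return one dict per query line; lines from other categories are skipped."""
    records = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            records.append({
                "client": m.group("ip"),
                "port": int(m.group("port")),
                "name": m.group("name"),
                "qtype": m.group("qtype").upper(),
                "flags": m.group("flags"),
            })
    return records

def summarize_queries(records, max_per_client=100):
    """Per-client counts plus a {client: [reasons]} map of clients worth a look."""
    per_client = Counter(r["client"] for r in records)
    any_queries = Counter(r["client"] for r in records if r["qtype"] == "ANY")
    flagged = {}
    for client, count in per_client.items():
        reasons = []
        if count > max_per_client:
            reasons.append(f"{count} queries exceeds limit of {max_per_client}")
        if any_queries[client]:
            reasons.append(f"{any_queries[client]} ANY queries (amplification indicator)")
        if reasons:
            flagged[client] = reasons
    return {"per_client": dict(per_client), "any_queries": dict(any_queries), "flagged": flagged}

if __name__ == "__main__":
    summary = summarize_queries(parse_query_log(SAMPLE_LOG.splitlines()), max_per_client=3)
    for client, reasons in summary["flagged"].items():
        print(client, "->", "; ".join(reasons))
```

In practice you would run it over /var/lib/bind/bind.log (or query.log in the second and third configurations) and compare flagged clients against the allow-recursion ACL; a recursive client outside the ACL means the ACL is not doing what you think.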

If logging goes to a non-standard directory, you need to allow it in AppArmor:

sudo nano /etc/apparmor.d/usr.sbin.named

See also:
Installing and Configuring DNS Server BIND9

Installing and Configuring DNS Server BIND9

BIND (Berkeley Internet Name Domain) is the open-source and most widely used DNS server implementation; it resolves DNS names to IP addresses and vice versa.

Installing in Linux Ubuntu:

sudo apt-get install bind9

Stop / Start / Restart Bind9:

sudo /etc/init.d/bind9 stop/start/restart

To use the local DNS server, specify in /etc/resolv.conf:

nameserver 127.0.0.1

Edit the configuration files in the /etc/bind/ directory for your needs.

Open the configuration file named.conf.options, for example in the nano text editor:

sudo nano /etc/bind/named.conf.options

First, add ACLs with networks that will be allowed to query the DNS server:

acl localclients {
    localhost;
    localnets;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

In the options block, reference this ACL to control who may send queries and get recursion:

allow-recursion { localclients; };
allow-query { localclients; };
allow-query-cache { localclients; };

You can specify the IP addresses on which bind9 will listen:

listen-on {
    127.0.0.1;
    192.168.1.1;
};

Or on all addresses:

listen-on { any; };

Alternatively, you can list only the addresses for which recursion is allowed, so that the DNS server does not serve recursive requests from all clients but only from those listed (all other addresses can only obtain the records this DNS server is authoritative for):

allow-recursion { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/16; };
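To check what an ACL like localclients will and will not let through before reloading, here is an added example (not from the original post) that evaluates a BIND-style address match list the way named does: elements are tried in order, the first match decides, and a leading "!" negates. It understands any, none, localhost, localnets, CIDR prefixes, single addresses and references to named ACLs. Since this runs outside the server, the server's own interfaces are an assumption declared in SERVER_INTERFACES; nested ACLs are simplified to a plain allow/deny result.

```python
import ipaddress

# Assumption for the example: the server's interfaces (address, prefix length).
# BIND derives "localhost" and "localnets" from the real interfaces at startup.
SERVER_INTERFACES = [("127.0.0.1", 8), ("192.168.1.1", 24)]

# The named ACL from the post, as a Python list.
NAMED_ACLS = {
    "localclients": ["localhost", "localnets", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

def acl_allows(elements, client_ip, named=NAMED_ACLS, interfaces=SERVER_INTERFACES):
    """First-match evaluation of an address match list; no match means deny."""
    addr = ipaddress.ip_address(client_ip)
    for element in elements:
        negated = element.startswith("!")
        name = element[1:].strip() if negated else element.strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = any(addr == ipaddress.ip_address(a) for a, _ in interfaces)
        elif name == "localnets":
            hit = any(addr in ipaddress.ip_network(f"{a}/{p}", strict=False) for a, p in interfaces)
        elif name in named:
            hit = acl_allows(named[name], client_ip, named, interfaces)   # simplified nesting
        else:
            net = ipaddress.ip_network(name, strict=False)   # CIDR or single address
            hit = addr.version == net.version and addr in net
        if hit:
            return not negated
    return False

def recursion_report(allow_recursion, clients, **kw):
    """Map each client address to True/False for the given allow-recursion list."""
    return {c: acl_allows(allow_recursion, c, **kw) for c in clients}

if __name__ == "__main__":
    # Constructed clients: an internal host, the provider's DNS, a random Internet address.
    clients = ["10.1.2.3", "192.168.1.1", "203.0.113.9"]
    print("allow-recursion { localclients; }:", recursion_report(["localclients"], clients))
    print("allow-recursion { any; }:          ", recursion_report(["any"], clients))
```

The second line of output is the open-resolver case: with any, every address on the Internet can use the server recursively, which is what the restricted ACL in the post is there to prevent. Note that the ACL in the post's last example uses 172.16.0.0/16, which is narrower than the 172.16.0.0/12 in the localclients ACL; decide which one you mean.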

The correctness of the settings can be checked with the following command (if it prints nothing, everything is in order):

named-checkconf

Apply the changes:

sudo rndc reload

or:

sudo /etc/init.d/bind9 restart

Verification:

rndc status
netstat -lnp | grep :53
sudo ps -ax | grep bind

From Windows, you can check with the command (where 192.168.1.1 is the address of the bind9 server):

nslookup example.com 192.168.1.1

You can clear the cache of the DNS server with:

sudo rndc flush

Dump the cache to a file (in /var/cache/bind/):

sudo rndc dumpdb

See also:
Configuring Bind9 logs
Configuring Fail2Ban for Bind9

Configure the PTR record on the DNS server

At some point I needed to configure a reverse DNS zone for a mail server, since some servers refused to accept mail from it.

Let’s assume our domain mail.example.com is located at the IP address 192.168.1.100, and 192.168.1.1 is the Internet provider’s server.

You can check from Windows with the commands (where 192.168.1.100 is, for example, the address of our mail server, and 192.168.1.1 is the DNS server to which the request is sent):

nslookup mail.example.com
nslookup 192.168.1.100
nslookup 192.168.1.100 192.168.1.1

The first command returns 192.168.1.100, while the second returns nothing (it should return mail.example.com), since the PTR record is not configured in DNS.

From Linux, you can check:

dig -x 192.168.1.100

At the domain registrar, we add the Internet provider’s name server ns1.example.com 192.168.1.1 to the domain’s DNS records.

On the provider’s server (for the test I use Bind9 on Ubuntu Server), open the DNS configuration file, for example in the nano editor (Ctrl+X to exit, y/n and Enter to save or discard changes):

sudo nano /etc/bind/named.conf

And add the following lines:

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/1.168.192.in-addr.arpa";
};

The first line specifies which zone we will manage, the second the type (master, meaning this DNS server is authoritative for it), and the third the file in which the records for this zone are stored.

Open a new file for zone settings:

sudo nano /etc/bind/1.168.192.in-addr.arpa

And add to it:

$TTL 3600
@          IN SOA ns1.example.com. admin.example.com. (
              2016112301       ; Serial
              21600             ; refresh
              3600              ; retry
              3600000           ; expire
              86400 )           ; minimum

        IN  NS ns1.hosting.com.
        IN  NS ns2.hosting.com.

$ORIGIN 1.168.192.in-addr.arpa.
100      IN PTR  mail.example.com.

admin.example.com – the contact address of the person responsible for the zone; the @ of the email address is written as a dot.
Serial – the version number of the zone file; it must increase with each change and is usually written as year, month, day and change number. Other DNS servers compare it to decide whether their copy needs updating.
Refresh – the interval in seconds after which a secondary server checks whether the zone needs to be updated.
Retry – the interval in seconds after which a secondary server retries a failed refresh.
Expire – the interval in seconds after which a secondary server considers its copy of the zone obsolete.
Minimum – the lifetime of the zone’s information on caching servers.
ns1.hosting.com and ns2.hosting.com – the name servers for this zone.
The number 100 in the last line is the last octet of the IP address 192.168.1.100; similarly you can add entries for other addresses, for example 101 IN PTR … for 192.168.1.101, and so on.
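The reason mail servers care is forward-confirmed reverse DNS: the PTR must point at a name whose A record points back at the sending IP. Here is an added example (not from the original post) that derives the reverse zone and PTR owner name from an address, renders a zone file in the layout shown above, bumps the serial while keeping the year-month-day-number convention, and checks the forward/reverse pair against in-memory records. The A and PTR records are constructed test data; the ns1.example.com / admin.example.com / ns1.hosting.com names are the ones from the post. reverse_name() also works for IPv6 addresses (ip6.arpa), which the post does not cover.

```python
import ipaddress

def reverse_name(ip):
    """Owner name of the PTR record, e.g. 100.1.168.192.in-addr.arpa (IPv4 or IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer

def reverse_zone(ip, prefixlen=24):
    """Reverse zone an IPv4 address belongs to, for an octet-aligned /8, /16 or /24."""
    if prefixlen not in (8, 16, 24):
        raise ValueError("classless reverse zones are not handled here")
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    octets = str(net.network_address).split(".")[: prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def next_serial(current, today):
    """today is 'YYYYMMDD'. Keeps the YYYYMMDDnn form and always increases,
    even if the current serial is ahead of the date (e.g. wrong clock earlier)."""
    return max(int(current) + 1, int(today + "01"))

def ptr_zone_file(zone, ptr_records, serial, primary="ns1.example.com.",
                  contact="admin.example.com.",
                  nameservers=("ns1.hosting.com.", "ns2.hosting.com.")):
    """Render a reverse zone in the layout of the post; ptr_records maps last octet -> host."""
    lines = [
        "$TTL 3600",
        f"@ IN SOA {primary} {contact} (",
        f"    {serial} ; Serial",
        "    21600 ; refresh",
        "    3600 ; retry",
        "    3600000 ; expire",
        "    86400 ) ; minimum",
        "",
    ]
    lines += [f"    IN NS {ns}" for ns in nameservers]
    lines += ["", f"$ORIGIN {zone}."]
    lines += [f"{octet} IN PTR {host}." for octet, host in sorted(ptr_records.items())]
    return "\n".join(lines) + "\n"

def fcrdns_ok(ip, a_records, ptr_records):
    """Forward-confirmed reverse DNS: PTR(ip) -> name and A(name) contains ip."""
    name = ptr_records.get(reverse_name(ip))
    if name is None:
        return False
    return ip in a_records.get(name, [])

# Constructed records standing in for what the forward and reverse zones would answer.
A_RECORDS = {"mail.example.com": ["192.168.1.100"], "www.example.com": ["192.168.1.101"]}
PTR_RECORDS = {"100.1.168.192.in-addr.arpa": "mail.example.com",
               "102.1.168.192.in-addr.arpa": "old.example.com"}   # stale PTR, no A record

if __name__ == "__main__":
    print(ptr_zone_file(reverse_zone("192.168.1.100"), {100: "mail.example.com"},
                        next_serial(2016112301, "20161123")))
    for ip in ("192.168.1.100", "192.168.1.101", "192.168.1.102"):
        print(ip, "FCrDNS ok" if fcrdns_ok(ip, A_RECORDS, PTR_RECORDS) else "FCrDNS FAILS")
```

Only 192.168.1.100 passes: .101 has an A record but no PTR (the situation in the post before the zone was added), and .102 has a PTR pointing at a name with no A record, which receivers treat the same as a missing PTR.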

Restart the DNS server to apply the changes.
Bind9 can be restarted with:

sudo /etc/init.d/bind9 restart

Done.

See also:
Configuring Reverse DNS (PTR) in Hetzner